Self Encrypting Drives (SED)

A SED, or self-encrypting drive, is a hard drive that automatically and continuously encrypts the data on it without any user interaction. Most drive manufacturers now offer a full drive encryption feature, and it is becoming increasingly common in solid state drives (SSDs).

Encryption is performed with a Data Encryption Key (DEK), which is used both to encrypt and to decrypt the data. Whenever data is written to the drive, it is first encrypted with the DEK. Similarly, whenever data is read from the drive, it is first decrypted with the same DEK before being sent on to the rest of the system.

One of the key features of a SED is instant secure erase: changing the encryption key permanently encrypts the data (in effect, erasing it). This feature also permanently changes the encryption algorithm so the drive can be re-used or re-purposed. After instant secure erase is performed, the data previously written to the drive becomes unreadable and the drive reverts to an unsecured state, just as it was delivered from the manufacturer.
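The write and read paths described above, and instant secure erase as a key replacement, as an added Go model that is not part of the original post. It assumes Go 1.24 or later (where crypto/rand.Read never returns an error) and uses AES-GCM with a per-sector nonce in place of the AES-XTS mode real drives use; the DEK, the SED type and its methods are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SED models a self-encrypting drive: the Data Encryption Key (DEK) never leaves
// the drive; every write is encrypted with it and every read decrypted with it.
// Real drives use AES-XTS per sector; AES-GCM with a per-sector nonce stands in.
type SED struct {
	aead    cipher.AEAD       // the current DEK, ready to use
	sectors map[uint64][]byte // LBA -> nonce || ciphertext, as kept on the medium
}

// InstantSecureErase generates a fresh AES-256 DEK and discards the old one.
// Nothing on the medium is overwritten, yet every existing sector is now
// ciphertext under a key that no longer exists, so the old data is unreadable.
func (d *SED) InstantSecureErase() {
	key := make([]byte, 32)
	rand.Read(key)                   // Go 1.24+: never returns an error
	block, _ := aes.NewCipher(key)   // cannot fail for a 32-byte key
	d.aead, _ = cipher.NewGCM(block) // cannot fail for an AES block
}

// NewSED ships the drive with its first DEK: a factory-fresh drive is an erased one.
func NewSED() *SED {
	d := &SED{sectors: make(map[uint64][]byte)}
	d.InstantSecureErase()
	return d
}

// Write encrypts under the DEK before anything reaches the medium.
func (d *SED) Write(lba uint64, plaintext []byte) {
	nonce := make([]byte, d.aead.NonceSize())
	rand.Read(nonce) // fresh nonce per write: required for GCM under one key
	d.sectors[lba] = d.aead.Seal(nonce, nonce, plaintext, nil)
}

// Read decrypts a sector; it fails if the DEK is not the one it was written with.
func (d *SED) Read(lba uint64) ([]byte, error) {
	n := d.aead.NonceSize()
	if stored := d.sectors[lba]; len(stored) >= n {
		return d.aead.Open(nil, stored[:n], stored[n:], nil)
	}
	return nil, errors.New("sector never written")
}
```

After InstantSecureErase the old ciphertext is still in d.sectors, but Read fails authentication on every sector, and the drive accepts new writes under the new DEK.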

Though it is easy to implement, I would personally suggest using SEDs for laptops, which are highly susceptible to loss or theft. But FDE isn't suitable for the most common risks faced in datacenter and cloud environments, as it does not offer granular access audit logs and can't be centrally managed. If you are using VMware vSphere with vSAN, then vSAN encryption would be the better solution, and there is another option called VM encryption.

Consider an environment with multiple clusters provisioned, where hosts are frequently added to the clusters: managing SED keys becomes extremely difficult, and every time a new host is added to a cluster or a drive is replaced you will have to be very cautious.